Amendments to the Claims 
Claims 1-4, 7-14, 31-34, 37-41, 44-46, and 50-51 were pending at the time of the 
Office Action. 

Claims 5-6, 15-30, 35-36, 42-43, 47-49, and 52-53 were previously withdrawn. 
Claims 31-34 and 37-39 are amended, claims 50-53 are canceled. 
Claims 1-4, 7-14, 31-34, 37-41, and 44-46 are pending. 

1. (Original) A method, implemented in a computing device, the method 
comprising: 

accessing a new security policy to be implemented by a plurality of security 
engines of the computing device and to be used by the plurality of security engines 
in place of a current security policy; 

each of the plurality of security engines processing at least a portion of the 
new security policy to establish new rules for operation of the security engine 
while the security engine continues to operate according to previous rules; and 

switching, after each of the plurality of security engines is ready to begin 
using the new security policy, each of the plurality of security engines to the new 
rules substantially concurrently. 

2. (Original) A method as recited in claim 1, further comprising stopping 
the plurality of security engines from processing the at least a portion of the new 
security policy if one or more of the plurality of security engines indicates that the 
processing by the security engine failed. 



2 



Application No. 10/729,530 



3. (Original) A method as recited in claim 1, wherein for each of the 
plurality of security engines, the security engine is ready to begin using the new 
security policy after the security engine has processed the at least a portion of the 
new security process and can nearly ensure that it can begin using the new rules as 
soon as it receives an indication to switch to the new security policy. 

4. (Original) A method as recited in claim 1, wherein the switching 
comprises calling, for each of the plurality of security engines, a function exposed 
by the security engine. 

5. (Withdrawn) A method as recited in claim 1, wherein the switching 
comprises writing a value to a shared data structure. 

6. (Withdrawn) A method as recited in claim 1, wherein the switching 
comprises firing an event across all of the security engines at once. 

7. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes an antivirus engine. 

8. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes a firewall engine. 

9. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes an intrusion detection engine. 
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10. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes a vulnerability analysis engine. 

11. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes a behavioral blocking engine. 

12. (Original) A method as recited in claim 1, wherein each of the 
plurality of security engines is part of a same application process. 

13. (Original) A method as recited in claim 1, wherein the plurality of 
security engines includes one or more of: an antivirus engine, a firewall engine, 
an intrusion detection engine, a vulnerability analysis engine, and a behavioral 
blocking engine. 

14. (Original) A method as recited in claim 13, wherein the switching 
comprises one or more of: 

calling, for each of the plurality of security engines, a function exposed by 
the security engine; 

writing a value to a shared data structure; and 

firing an event across all of the security engines at once. 
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15. (Withdrawn) One or more computer readable media having one or 
more instructions that, when executed by one or more processors of a device, 
cause the one or more processors to: 

obtain a new security policy for a plurality of security engines of the 
device; 

notify each of the plurality of security engines of one or more rules from 
the new security policy; and 

wait until each of the plurality of security engines has indicated that it is 
ready to begin using the new security policy; and 

after receipt of an indication that each of the plurality of security engines is 
ready to begin using the new security policy, instruct each of the plurality of 
security engines to begin using the new security policy. 

16. (Withdrawn) One or more computer readable media as recited in claim 

15, wherein to instruct each of the plurality of security engines to begin using the 
new security policy is to send a switch indication to each of the plurality of 
security engines substantially concurrently. 

17. (Withdrawn) One or more computer readable media as recited in claim 

16, wherein to send the switch indication is to call, for each of the plurality of 
security engines, a function exposed by the security engine. 
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18. (Withdrawn) One or more computer readable media as recited in claim 
16, wherein to send the switch indication is to write a value to a shared data 
structure. 

19. (Withdrawn) One or more computer readable media as recited in claim 
16, wherein to send the switch indication is to fire an event across all of the 
security engines at once. 

20. (Withdrawn) One or more computer readable media as recited in claim 
15, wherein the plurality of security engines includes one or more of: an antivirus 
engine, a firewall engine, an intrusion detection engine, a vulnerability analysis 
engine, and a behavioral blocking engine. 

21. (Withdrawn) One or more computer readable media as recited in claim 
20, wherein to instruct each of the plurality of security engines to begin using the 
new security policy is to: 

call, for each of the plurality of security engines, a function exposed by the 
security engine; 

write a value to a shared data structure; and 

fire an event across all of the security engines at once. 

22. (Withdrawn) One or more computer readable media as recited in claim 
15, wherein the one or more instructions further cause the one or more processors 
to issue, in response to an indication from one of the plurality of security engines 
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that it has failed in getting ready to begin using the new security policy, an 
indication to each of the plurality of security engines to ignore the new security 
policy. 

23. (Withdrawn) A method comprising: 

notifying each of a plurality of security service providers in a computing 
device of one or more new rules; 

waiting until each of the plurality of security service providers has 
indicated that it is ready to begin using the one or more new rales it was notified 
of; and 

indicating, to each of the plurality of security service providers after receipt 
of the indications that the plurality of security service providers are ready to begin 
using the one or more new rules they were notified of, that the security service 
provider is to begin using the one or more new rules it was notified of. 

24. (Withdrawn) A method as recited in claim 23, wherein each of the 
plurality of security service providers is notified of a different set of one or more 
new rules. 

25. (Withdrawn) A method as recited in claim 23, wherein the indicating 
to each of the plurality of security service providers that the security service 
provider is to begin using the one or more new rules comprises calling, for each of 
the plurality of security service providers, a function exposed by the security 
service provider. 
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26. (Withdrawn) A method as recited in claim 23, wherein the indicating 
to each of the plurality of security service providers that the security service 
provider is to begin using the one or more new rules comprises writing a value to a 
shared data structure. 

27. (Withdrawn) A method as recited in claim 23, wherein the indicating 
to each of the plurality of security service providers that the security service 
provider is to begin using the one or more new rules comprises firing an event 
across all of the security service providers at once. 

28. (Withdrawn) A method as recited in claim 23, wherein the plurality of 
security service providers includes one or more of: an antivirus engine, a firewall 
engine, an intrusion detection engine, a vulnerability analysis engine, and a 
behavioral blocking engine. 

29. (Withdrawn) A method as recited in claim 28, wherein the indicating 
to each of the plurality of security service providers that the security service 
provider is to begin using the one or more new rules comprises one or more of: 

calling, for each of the plurality of security service providers, a function 
exposed by the security service provider; 

writing a value to a shared data structure; and 

firing an event across all of the security service providers at once. 
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30. (Withdrawn) A method as recited in claim 23, further comprising 
indicating, in response to an indication from one of the plurality of security service 
providers that it has failed in getting ready to begin using the one or more new 
rules it was notified of, to each of the plurality of security service providers to 
delete the one or more new rules it was notified of. 

31. (Currently amended) One or more computer readable storage m edia 
having one or more instructions that, when executed by one or more processors, 
causes the one or more processors to: 

receive an indication of a new security policy to be used; 

generate a new set of rules having associated data based on the new security 

policy; 

continue to use a previous set of rules and associated data until an 
indication to begin using the new set of rules and associated data is identified; and 
using, upon identifying the indication, the new set of rules and associated 

data. 

32. (Currently amended) One or more computer readable storage media as 
recited in claim 31, wherein the one or more instructions are part of a security 
engine. 

33. (Currently amended) One or more computer readable storage media as 
recited in claim 31, wherein the indication of the new security policy comprises 
one or more rules from which the new set of rules can be generated. 
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34. (Currently amended) One or more computer readable storage m edia as 
recited in claim 31, wherein the indication to begin using the new set of rules and 
associated data is identified comprises a function exposed by the one or more 
instructions being invoked. 

35. (Withdrawn) One or more computer readable media as recited in claim 
31, wherein the indication to begin using the new set of rules and associated data 
is identified comprises identifying, in a shared data structure, a value indicating to 
begin using the new set of rules and associated data. 

36. (Withdrawn) One or more computer readable media as recited in claim 
31, wherein the instructions further cause the one or more processors to begin 
polling an event, and wherein the indication to begin using the new set of rules and 
associated data is identified comprises detecting that the event has been fired. 

37. (Currently amended) One or more computer readable storage m edia as 
recited in claim 31, wherein the one or more instructions comprises one of: an 
antivirus service provider, a firewall service provider, an intrusion detection 
service provider, a vulnerability analysis service provider, and a behavioral 
blocking service provider. 
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38. (Currently amended) One or more computer readable storage m edia as 
recited in claim 37, wherein the indication to begin using the new set of rules and 
associated data is identified comprises one or more of: 

having a function exposed by the one or more instructions invoked; 
identifying, in a shared data structure, a value indicating to begin using the 
new set of rules and associated data; and 

detecting that an event being polled has been fired. 

39. (Currently amended) One or more computer readable storage m edia as 
recited in claim 31, wherein the one or more instructions further cause the one or 
more processors to receive an indication to rollback, and in response to the 
indication to rollback ignore the new set of rules. 

40. (Original) A method, implemented in a security engine of a computing 
device, the method comprising: 

receiving a new set of rules to be enforced; 

using a previous set of rules until an indication to begin using the new set 
of rules is received; and 

enforcing, in response to receipt of the indication, the new set of rules. 

41. (Original) A method as recited in claim 40, wherein the indication 
comprises having a function exposed by the security engine invoked. 



11 



Application No. 10/729,530 



42. (Withdrawn) A method as recited in claim 40, wherein the indication 
comprises identifying, in a shared data structure, a value indicating to begin using 
the new set of rules. 

43. (Withdrawn) A method as recited in claim 40, wherein the indication 
comprises detecting that an event being polled has been fired. 

44. (Original) A method as recited in claim 40, wherein the plurality of 
security engines includes one or more of: an antivirus engine, a firewall engine, 
an intrusion detection engine, a vulnerability analysis engine, and a behavioral 
blocking engine. 

45. (Original) A method as recited in claim 44, wherein the indication 
comprises one or more of: 

having a function exposed by the security engine invoked; 
identifying, in a shared data structure, a value indicating to begin using the 
new set of rules and associated data; and 

detecting that an event being polled has been fired. 

46. (Original) A method as recited in claim 40, further comprising: 
receiving an indication to ignore the new set of rules; and 

in response to the indication to ignore the new set of rules, not enforcing 
the new set of rules but continuing to enforce the previous set of rales. 
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47. (Withdrawn) A system comprising: 

a policy reader to obtain a new security policy to be enforced on the 
system; 

a plurality of security service providers; 

a rule set generator to generate, for each of the plurality of security service 
providers, a new set of rules to implement the new security policy; 

a manager to send, to all of the plurality of security service providers at 
substantially the same time, an indication to begin using the new set of rules; and 

wherein each of the plurality of security service providers continues to 
enforce a previous set of rules until instructed to enforce the new set of rules. 

48. (Withdrawn) A system as recited in claim 47, wherein the plurality of 
security service providers includes one or more of: an antivirus engine, a firewall 
engine, an intrusion detection engine, a vulnerability analysis engine, and a 
behavioral blocking engine. 

49. (Withdrawn) A system as recited in claim 48, wherein the manager is 
to send the indication by performing one or more of: 

calling, for each of the plurality of security service providers, a function 
exposed by the security service provider; 

writing a value to a shared data structure; and 

firing an event across all of the security service providers at once. 

50-53. (Canceled) 



lee@hayes pic 



13 



Application No. 10/729,530 



